1. Technical Field
The present disclosure relates to multi-level secure information retrieval systems. More particularly, the present disclosure relates to a multi-level security system for enabling secure file sharing across multiple security levels and a method thereof.
2. Discussion of Related Art
Businesses and government need verifiably secure platforms to field high-assurance Multiple Levels of Security (MLS) systems for the management of classified and other high-valued information, whose confidentiality, integrity and/or releasability must be protected.
The United States Department of Defense (DoD) has mandated that the Global Information Grid (GIG) will be the primary technical framework to support U.S. network-centric warfare and network-centric operations. Under this directive, all advanced weapons platforms, sensor systems, and command and control centers are eventually to be linked via the GIG. Network-Centric Operations (NCO) is characterized by the sharing of information at all security levels between new and legacy systems within the GIG. Information that is passed between and within these systems must be shared securely to protect military personnel and not compromise the mission. In the commercial sector, dominant competitors have developed information superiority and translated it into a competitive advantage by making the shift to network-centric operations.
Based on current and emerging doctrine for DoD, Network-Centric Warfare (NCW) capabilities seek to translate an information advantage, enabled in part by information technology, into an increased combat power through the robust networking of well-informed geographically dispersed forces. NCW is more about networking than networks. It is about the increased combat power that can be generated by a network-centric force. A robustly networked force improves information sharing, which, in turn, enhances the quality of information and shared situational awareness. Shared situational awareness enables collaboration and self-synchronization, and enhances sustainability and speed of command, and these, in turn, have the potential to dramatically increase mission effectiveness. These capabilities will assist in increasing the common operational picture, or more correctly, the common operational understanding, of all players within the networked battlespace. In essence, NCW translates information superiority into combat power by effectively linking knowledgeable entities in the battlespace.
The United States Air Force (USAF) and other DoD services and agencies have a need for MLS solutions to ensure the protection of classified data and sensitive information related to national security. For example, MLS operation is a prerequisite to providing embedded airborne platform network connectivity. Types of government security levels include: Top Secret (TS); Secret (S); Confidential (C); and Unclassified (U). These MLS security levels may be supplemented with “need to know” classification labels (e.g., Special Access Required (SAR)), organizational limits (e.g., Army, Navy, DoD) and/or time limits. Categories that are not classifications include: Sensitive Compartmented Information (SCI); and Special Access Programs (SAP).
Providing efficient transfer of information between networks having different levels of security classification in network-centric warfare and network-centric operations is difficult. An example of a computer security policy is the Bell-LaPadula (BLP) security model. The BLP model is built on a dominance relation between MLS security labels, applied both to the subject (a process) and to the object (a data item). Two of the access rules under the BLP model are: NRU, No Read Up (a subject at a lower security level cannot read an object at a higher security level; the simple security property); and NWD, No Write Down (a subject at a higher level cannot write to an object at a lower MLS level; the *-property). The strategy is based on coupling special microprocessor hardware features, often involving the memory management unit, to a special, correctly implemented operating system kernel. This forms the foundation for a secure operating system which, if certain critical parts are designed and implemented correctly, can be argued to make penetration by hostile elements infeasible. This capability is enabled because the configuration not only imposes a security policy, but in theory completely protects itself from corruption. Ordinary operating systems, on the other hand, lack the features that assure this maximal level of security. An example of a system architecture including an ordinary operating system is shown in FIG. 1.
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements. The Evaluation Assurance Level (EAL 1 through EAL 7) of an information technology (IT) product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation. Higher EALs reflect added assurance requirements that must be met to achieve a particular certification. The EAL level does not measure the security of the system itself; it simply states at what level the system was tested.
To achieve a particular EAL, the computer system must generally meet specific assurance requirements. Most of these requirements involve design documentation, design analysis, functional testing, and/or penetration testing. The EAL number assigned to a certified system indicates that the system completed all requirements for that level. In some cases, the evaluation may be augmented to include assurance requirements beyond the minimum required for a particular EAL. Officially this is indicated by following the EAL number with the word augmented and usually with a list of codes to indicate the additional requirements. As shorthand, vendors will often simply add a “plus” sign (as in EAL4+) to indicate the augmented requirements.
The higher EALs involve more detailed documentation, analysis, and testing than the lower ones. Achieving a higher EAL certification therefore generally costs more money and takes more time than achieving a lower one. Some embedded avionics systems operate in “system high” mode, meaning that all data residing on the system must be treated as if classified at the aggregate classification level of all system-resident data. Operating at system high has the drawback that it is difficult to generate outputs that are at a lower level than system high, and this prevents the system from operating collaboratively with other systems not at the same level. This negatively impacts system performance by restricting and/or delaying data sharing with other networked systems, a constraint that directly conflicts with the goal of improved information sharing. Operating at system high also increases total system cost of ownership by requiring system operators to clear all personnel who touch the system to the aggregate classification of all hosted data. Another approach to enable secure file sharing across multiple security levels is to maintain separate file stores for each security enclave, each holding a complete copy of every lower enclave in addition to its own data (e.g., the secret file store keeps a complete copy of the unclassified file store). This has drawbacks in weight and power requirements and in the disk space wasted on redundant copies of data at each enclave. In an alternative approach, the file system is configured to encrypt whole files instead of individual disk blocks. The drawback of this approach is that an entire file must be read from the disk and decrypted before any part of it can be read. Running the security software at a higher level of logical abstraction also makes eliminating leaks and covert channels more difficult.
Multiple independent levels of security (MILS) operating systems known as separation kernels have been developed to provide full data separation and hence MLS operation. MILS is a component-based high-assurance security computer architecture based on the concepts of separation and controlled information flow. An example of a system architecture including an operating system employing a separation kernel is shown in FIG. 2. MILS is implemented through the utilization of separation mechanisms that support both untrusted and trustworthy components, thus ensuring that the total security solution is nonbypassable, evaluatable, always invoked, and tamperproof. A MILS solution allows for independent evaluation of security components and trusted composition. A system incorporating a MILS solution, sometimes referred to as a MILS system, employs one or more separation mechanisms (e.g., separation kernel, separation communication system, physical separation) to maintain assured data and process separation. A MILS system supports enforcement of one or more application/system specific security policies by authorizing information flow only between components in the same security domain or through trustworthy security monitors (e.g., access control guards, downgraders, crypto devices, etc.). In some systems of this type, data separation is achieved between different virtual address spaces on a single processor, as opposed to across multiple processors typically found in an embedded avionics system or multiple networked systems.
The Galois Trusted Services Engine (TSE) provides read-down MLS access control in a MILS separation kernel. The TSE uses physically separate disks, wherein the content of each disk is stored in plaintext and the mechanism of separation is its block access controller. A number of MLS file systems are included in MLS operating systems, among them low- to medium-robustness systems such as Trusted Solaris and Security-Enhanced Linux (SELinux), in which the amount of software that needs to be trusted is quite large. There are a few high-robustness operating systems, such as the Gemini Secure Operating System (GEMSOS), developed to run on desktop-type systems.
FIG. 3 shows an abstract view of a separation kernel that is known in the prior art for the separation of information within a single processor. As illustrated in FIG. 3, the separation kernel may be configured to ensure that only the information flows depicted by the arrows actually occur. Furthermore, the separation kernel may be configured to ensure that no critical task is bypassed. Another purpose of the separation kernel is to ensure that each task's private data remains private, i.e., to ensure that other partitions cannot detect, even by deduction, that another partition is receiving or processing data. One partition should be configured such that it is not aware of the other partitions and it is itself transparent to the other partitions.
As illustrated in FIG. 3, the separation kernel (shown generally as 300) may include a red protocol machine (“RPM”) 310, which may be configured to receive unencrypted data (i.e., red data) from, for example, a partition within a processor or computer. The red protocol machine 310 may also receive information from the red verifier (“RV”) 321, which is being sent into the processor or computer. When red data is received by the red protocol machine 310, it is transferred to a trusted red switch (“TRS”) 320, which is trusted to receive red information and route that information to the proper encryption algorithm E1, E2, or E3 330, 331, 332, respectively. In one configuration, the separation kernel 300 may include an encryption algorithm that is uniquely associated with the particular sensitivity of information. Furthermore, the trusted red switch 320 may be configured to route data of a particular sensitivity to the correct associated encryption algorithm. Once the appropriate encryption algorithm 330, 331, 332 has been applied to the data, the data may be output to the black verifier (“BV”) 340, which may be configured to ensure that the data output from the encryption algorithms is properly encrypted. The black verifier 340 may then pass the data on to the black protocol machine (“BPM”) 350. The black protocol machine 350 may be configured to receive encrypted data (i.e., black data) from both the black verifier 340 and from other locations within a processor or computer, such as, for example, a storage device. The black protocol machine 350 may receive this data and send it to a black switch (“BS”) 340. The black switch 340 may be configured to receive encrypted data from the black protocol machine 350 and route that data to the appropriate decryption algorithm for further processing. The decryption algorithms (D1, D2, D3) 333, 334, 335 may be associated with particular types of classified data that may be utilized in the system. 
Furthermore, decryption algorithms 333, 334, and 335 may be configured to decrypt data that was encrypted with an associated encryption algorithm 330, 331, or 332. After the data has been decrypted by the decryption algorithms 333, 334, 335 it may be passed to the red verifier (“RV”) 321, which may be configured to ensure that the data has been appropriately decrypted and to send the data into the red protocol machine 310 to be input into a proper partition within, for example, the processor, for further processing.
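The red/black path of FIG. 3 can be made concrete with the following added model, which is not code from the present disclosure or from any real separation kernel. It assumes one key per sensitivity as a stand-in for the per-sensitivity algorithms E1..E3 and D1..D3, uses a hash-counter keystream with an HMAC tag as a stand-in cipher (not suitable for production), and assumes a message layout in which the sensitivity label is bound into the authentication tag. Those are all assumptions made for this example. What it demonstrates is the division of trust the text describes: only the trusted red switch and the red verifier see both plaintext and labels; the black side handles only ciphertext, and a black message cannot be re-labelled to reach the wrong decryption algorithm or the wrong partition.

```python
"""Model of the red/black flow through the separation kernel of FIG. 3.

Constructed example. Per-level keys, the stand-in cipher and the message
layout are assumptions; a fielded system would use certified crypto devices.
"""
import hashlib
import hmac
import secrets

# One encryption algorithm (modelled as one key) per sensitivity, as in the text.
LEVELS = ("U", "S", "TS")
KEYS = {lvl: hashlib.sha256(b"constructed-demo-key-" + lvl.encode()).digest()
        for lvl in LEVELS}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Hash-counter keystream: a stand-in cipher, NOT for production use."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _tag(key: bytes, level: str, nonce: bytes, ct: bytes) -> bytes:
    # The sensitivity label is bound into the tag, so a black message cannot be
    # re-labelled and routed to a different decryption algorithm.
    return hmac.new(key, level.encode() + nonce + ct, hashlib.sha256).digest()


def trusted_red_switch(red: dict) -> dict:
    """TRS: route red data to the encryption algorithm for its sensitivity."""
    level = red["level"]
    if level not in KEYS:
        raise PermissionError(f"no encryption algorithm for sensitivity {level!r}")
    key = KEYS[level]
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(red["data"]))
    ct = bytes(a ^ b for a, b in zip(red["data"], ks))
    return {"level": level, "nonce": nonce, "ct": ct, "tag": _tag(key, level, nonce, ct)}


def black_verifier(red: dict, black: dict) -> dict:
    """BV: pass on only output that is well-formed ciphertext for its level."""
    if black["level"] != red["level"]:
        raise RuntimeError("black verifier: sensitivity label changed in transit")
    if black["ct"] == red["data"]:
        raise RuntimeError("black verifier: output is still plaintext")
    key = KEYS[black["level"]]
    if not hmac.compare_digest(_tag(key, black["level"], black["nonce"], black["ct"]), black["tag"]):
        raise RuntimeError("black verifier: output not produced by the expected algorithm")
    return black


def black_switch(black: dict) -> tuple:
    """BS: select the decryption algorithm matching the black message's label."""
    level = black["level"]
    if level not in KEYS:
        raise PermissionError(f"no decryption algorithm for sensitivity {level!r}")
    key = KEYS[level]
    if not hmac.compare_digest(_tag(key, level, black["nonce"], black["ct"]), black["tag"]):
        raise RuntimeError("decryption: authentication failed (wrong key or tampered)")
    ks = _keystream(key, black["nonce"], len(black["ct"]))
    return level, bytes(a ^ b for a, b in zip(black["ct"], ks))


def red_verifier(level: str, data: bytes, dest_partition_level: str) -> dict:
    """RV: hand decrypted data only to a partition of matching sensitivity."""
    if dest_partition_level != level:
        raise PermissionError(f"red verifier: {level} data may not enter a {dest_partition_level} partition")
    return {"level": level, "data": data}


def send(red: dict) -> dict:
    """Red partition -> TRS -> E_n -> BV -> BPM (black side)."""
    return black_verifier(red, trusted_red_switch(red))


def receive(black: dict, dest_partition_level: str) -> dict:
    """BPM -> BS -> D_n -> RV -> red partition."""
    level, data = black_switch(black)
    return red_verifier(level, data, dest_partition_level)


if __name__ == "__main__":
    msg = {"level": "S", "data": b"constructed Secret message"}  # constructed input
    black = send(msg)
    print("black side sees:", black["ct"].hex())
    print("S partition receives:", receive(black, "S")["data"])
```

Two failure modes are worth trying: changing the label of a black message to "U" makes the U decryption algorithm's tag check fail, and asking the red verifier to deliver Secret output into an Unclassified partition is refused even though decryption succeeded.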
The separation kernel is one example of how information of different sensitivities may be permitted to flow within a given processor. Using a separation kernel, an operating system may be configured to be trusted to ensure that the information flow within the processor can be trusted not to improperly allow access to classified information. The separation kernel, however, has been traditionally limited to single-processor systems. The prior art has failed to prove that the same level of trust may be maintained when the information is flowing on a common network between computers having different permissions and which may be configured to have access to predetermined sensitivities or classifications of information.
Thus, there is a need for a multi-level security system for enabling secure file sharing across multiple security levels.